
The EU AI Act is the world's first comprehensive AI regulation. Every company placing AI systems on the EU market — regardless of where you are headquartered — must comply. This guide covers everything your organization needs to know.
If any of the following statements is true, your organization must comply with the EU AI Act.
Your company is established in the EU and develops, deploys, or uses AI systems in any capacity.
Your company is outside the EU but places AI systems on the EU market or the output is used in the EU.
You are an EU-based organization using AI systems in your operations, regardless of where the system was developed.
The EU AI Act has extraterritorial scope. A US, Chinese, or Indian company selling AI tools to EU clients must comply. Non-EU providers must appoint an EU Authorized Representative. Both the provider (developer) and deployer (user) share liability under the Act's chain of responsibility framework.
Every AI system your organization uses must be classified into one of four risk tiers. Each tier carries different compliance obligations.
Banned entirely. Cannot be placed on the EU market under any circumstances.
Full compliance required: risk management, documentation, human oversight.
Users must be informed they are interacting with AI.
No mandatory obligations. Voluntary codes of conduct encouraged.
AI systems for remote biometric identification, biometric categorization, and emotion recognition. Includes real-time and post-systems.
AI systems intended to be used as safety components in the management and operation of road traffic, supply of water, gas, heating, and electricity.
AI systems used to determine access or admission, evaluate learning outcomes, or assess appropriate level of education.
AI systems used for recruitment, promotion, termination, task allocation, and performance monitoring.
AI systems used to evaluate credit scores, creditworthiness, or establish access to essential services.
AI systems used by law enforcement for risk assessment, polygraphs, evidence evaluation, crime analytics, and facial recognition.
AI systems used by competent authorities for assessing asylum applications, visa applications, and border control.
AI systems used for assisting judicial decisions and influencing voting behavior in elections.
If your organization uses any high-risk AI system, these 8 mandatory requirements apply. Each must be documented and auditable.
A continuous, iterative process run throughout the entire lifecycle of the AI system (Article 9). Must identify, estimate, and evaluate risks to health, safety, and fundamental rights.
Training, validation, and testing datasets must meet quality criteria including relevance, representativeness, completeness, accuracy, and freedom from errors (Article 10).
Must be drawn up before placing the system on the market, demonstrating compliance and providing authorities with necessary information (Article 11).
Automatic logging of events during operation to enable traceability and monitoring of the system's functioning (Article 12).
Systems must be designed so deployers can understand output and use it appropriately. Instructions for use must be provided (Article 13).
Must enable natural persons to interpret output, decide not to use the system, and intervene on operation (Article 14).
Must achieve appropriate levels consistent with intended purpose, including resilience against errors and cybersecurity attacks (Article 15).
A systematic, documented approach ensuring compliance including procedures for design, testing, validation, and post-market monitoring (Article 17).
The EU AI Act applies in stages. Missing any of these deadlines exposes your organization to penalties.
If your organization has not started preparing, follow this roadmap to achieve compliance before the August 2026 deadline.
The EU AI Act establishes a tiered penalty structure. Use the calculator below to estimate your organization's exposure.
For prohibited AI practices under Article 5. Applies to social scoring, manipulation, and banned biometric systems.
For violations of high-risk AI system obligations or failure to comply with authority requests.
For providing incorrect information to authorities or failing to comply with transparency obligations.
A practical checklist for organizations preparing for EU AI Act compliance. Click each item to track your progress.
Establishing clear roles and responsibilities is essential for ongoing compliance. This matrix shows who owns what.
Senior oversight body responsible for strategic AI governance decisions, policy approval, and regulatory alignment.
StrategicOperational role managing risk assessments, compliance monitoring, incident response, and day-to-day governance.
OperationalEnsures regulatory compliance, manages documentation, liaises with supervisory authorities, and tracks regulatory updates.
RegulatoryThese scenarios illustrate how the EU AI Act applies to common real-world situations your organization may face.
Situation: The board of a mid-size financial institution discovers their compliance team has been using an AI-powered credit scoring tool for 8 months without proper risk assessment. A customer complaint triggered the investigation.
Questions:
Answers:
Situation: A US-based SaaS company provides AI-powered HR analytics tools to EU clients. A German client reports that the tool may be biased against candidates over 50. The company has no EU presence and claims EU law doesn't apply.
Questions:
Answers:
Situation: An organization uses a third-party AI tool for document classification. The vendor releases an update that changes the underlying model without notice. The new model starts misclassifying sensitive documents, leading to a potential data breach.
Questions:
Answers:
Quick assessment to verify your team's understanding of the EU AI Act. 10 questions covering all key areas.
This guide is maintained by Executive Shield Partners, a leading governance, risk, and compliance advisory firm specializing in AI regulation. We help organizations worldwide navigate the complex regulatory landscape with practical, actionable guidance.
This content is provided for informational purposes and does not constitute legal advice. Always consult qualified legal counsel for your specific situation.